Skip to content

Container Security Scan ReportΒΆ

This document contains CVE (Common Vulnerabilities and Exposures) scan results for all Platform-Mesh container images.

OverviewΒΆ

Security scanning is performed using Sysdig to identify known vulnerabilities in container images. This report compares the current release (0.1.1) against the latest upstream versions.

Critical Security Alert

15 of 37 images (41%) in the current deployment have critical CVEs. Immediate action required for production deployments.

Key FindingsΒΆ

Severity Release 0.1.1 Upstream Improvement
πŸ”΄ Critical 15 images 8 images 47% reduction by updating
🟠 High 22 images 18 images 18% reduction by updating
🟒 Clean 0 images 11 images Significant improvement available

Quick Wins

Updating to upstream versions eliminates 7 images with critical CVEs without any code changes: - Traefik: 4 critical β†’ 0 - Mailpit: 6 critical β†’ 4 (partial improvement) - Flux controllers: 4-7 critical β†’ 4 (moderate improvement) - cert-manager: 0 critical β†’ 0 (eliminates 5 high CVEs)

Release 0.1.1 Scan ResultsΒΆ

Scan MetadataΒΆ

  • Scan Date: Thu Jan 29 07:43:50 CET 2026
  • Total Images Scanned: 37
  • Scanner: Sysdig
  • Environment: Local-Setup 0.1.1 (Running State)

Severity DistributionΒΆ

Severity Level Count Percentage
πŸ”΄ Critical (1+ Critical CVEs) 15 41%
🟠 High (0 Critical, 1+ High) 21 57%
🟒 OK (0 Critical, 0 High) 1 3%

Priority Images for Remediation

Top 5 most vulnerable images (by total CVE count):

1. **Keycloak** - 4 critical, 44 high, 51 medium (120 total)
2. **PostgreSQL (old)** - 7 critical, 44 high, 34 medium (102 total)
3. **PostgreSQL (new)** - 7 critical, 35 high, 20 medium (80 total)
4. **etcd** - 0 critical, 91 high, 25 medium (116 total)
5. **Flux Kustomize** - 7 critical, 38 high, 14 medium (71 total)

Complete Vulnerability ReportΒΆ

Image Critical High Medium Low Status
docker.io:axllent:mailpit:v1.27.9 6 33 4 6 πŸ”΄ Critical
docker.io:kindest:kindnetd:v20250512-df8de77b 2 33 13 2 πŸ”΄ Critical
docker.io:kindest:local-path-provisioner:v20250214-acbabc1a 2 41 18 1 πŸ”΄ Critical
docker.io:openfga:openfga:v1.9.0 0 30 12 0 🟠 High
docker.io:traefik:v3.6.0 4 20 3 6 πŸ”΄ Critical
europe-docker.pkg.dev:gardener-project:public:gardener:etcd-druid:latest 0 2 0 0 🟠 High
europe-docker.pkg.dev:gardener-project:public:gardener:etcd-wrapper:v0.6.0 0 5 4 0 🟠 High
europe-docker.pkg.dev:gardener-project:public:gardener:etcdbrctl:v0.40.0 0 5 4 0 🟠 High
ghcr.io:fluxcd:helm-controller:v1.4.2 6 27 3 6 πŸ”΄ Critical
ghcr.io:fluxcd:kustomize-controller:v1.7.1 7 38 14 12 πŸ”΄ Critical
ghcr.io:fluxcd:source-controller:v1.7.2 6 29 3 6 πŸ”΄ Critical
ghcr.io:kcp-dev:kcp-operator:v0.3.0 0 2 0 0 🟠 High
ghcr.io:kcp-dev:kcp:v0.29.0 0 41 6 0 🟠 High
ghcr.io:open-component-model:kubernetes:controller@sha256:5e790dad020adcfd0793f249d177a28429ef22446def39c9286eab90c52175c1 0 4 0 0 🟠 High
ghcr.io:platform-mesh:account-operator:v0.5.32 0 10 2 0 🟠 High
ghcr.io:platform-mesh:extension-manager-operator:v0.2.151 0 10 2 0 🟠 High
ghcr.io:platform-mesh:images:postgresql:15.4.0-debian-11-r45 7 44 34 17 πŸ”΄ Critical
ghcr.io:platform-mesh:kubernetes-graphql-gateway:v0.3.4 0 2 0 0 🟠 High
ghcr.io:platform-mesh:marketplace-ui:v0.6.2 5 22 3 6 πŸ”΄ Critical
ghcr.io:platform-mesh:platform-mesh-operator:v0.26.3 0 0 0 0 🟒 OK
ghcr.io:platform-mesh:portal:v0.16.132 5 25 10 6 πŸ”΄ Critical
ghcr.io:platform-mesh:rebac-authz-webhook:v0.2.94 0 2 0 0 🟠 High
ghcr.io:platform-mesh:security-operator:v0.10.9 0 4 0 0 🟠 High
ghcr.io:platform-mesh:upstream-images:keycloak:26.3.3-debian-12-r0 4 44 51 21 πŸ”΄ Critical
ghcr.io:platform-mesh:upstream-images:postgresql:17.6.0-debian-12-r4 7 35 20 18 πŸ”΄ Critical
quay.io:jetstack:cert-manager-cainjector:v1.19.1 0 5 0 0 🟠 High
quay.io:jetstack:cert-manager-controller:v1.19.1 0 5 0 0 🟠 High
quay.io:jetstack:cert-manager-webhook:v1.19.1 0 5 0 0 🟠 High
registry.k8s.io:coredns:coredns:v1.12.1 0 17 8 0 🟠 High
registry.k8s.io:etcd:3.6.4-0 0 91 25 0 🟠 High
registry.k8s.io:kro:kro:v0.6.3 0 2 0 0 🟠 High
registry.k8s.io:kube-apiserver:v1.34.0 0 24 4 0 🟠 High
registry.k8s.io:kube-controller-manager:v1.34.0 0 24 4 0 🟠 High
registry.k8s.io:kube-proxy:v1.34.0 2 32 6 2 πŸ”΄ Critical
registry.k8s.io:kube-scheduler:v1.34.0 0 23 4 0 🟠 High
xpkg.crossplane.io:crossplane:crossplane:v1.20.1 0 16 5 0 🟠 High
xpkg.upbound.io:crossplane-contrib:provider-keycloak:v2.7.2 0 13 2 0 🟠 High

Upstream Versions Scan ResultsΒΆ

This section shows vulnerability scan results for the latest available upstream versions of each image. This comparison demonstrates the security improvements available by updating.

Scan MetadataΒΆ

  • Scan Date: Thu Jan 29 07:43:50 CET 2026
  • Total Images Scanned: 37
  • Scanner: Sysdig
  • Purpose: Comparison baseline to measure update benefits

Improvement SummaryΒΆ

Metric Current (0.1.1) Upstream Change
Images with Critical CVEs 15 8 🟒 -7 (-47%)
Images with High CVEs 21 18 🟒 -3 (-14%)
Images with 0 CVEs 1 11 🟒 +10 (+1000%)
Total Critical CVEs 76 36 🟒 -40 (-53%)

Update Benefits

Updating to upstream versions provides:

- **53% reduction** in critical CVEs
- **11 images become CVE-free** (vs 1 currently)
- **Zero critical CVEs** for infrastructure components (cert-manager, Traefik, CoreDNS, etcd)

Complete Upstream Vulnerability ReportΒΆ

Image Critical High Medium Low Status
docker.io:axllent:mailpit:v1.28.4 4 16 2 0 πŸ”΄ Critical
docker.io:kindest:kindnetd:v20250512-df8de77b 2 33 13 2 πŸ”΄ Critical
docker.io:kindest:local-path-provisioner:v20250214-acbabc1a 2 41 18 1 πŸ”΄ Critical
docker.io:openfga:openfga:v1.11.3 0 0 0 0 🟒 OK
docker.io:traefik:v3.6.7 0 0 0 0 🟒 OK
europe-docker.pkg.dev:gardener-project:public:gardener:etcd-druid:v0.34.0 0 2 0 0 🟠 High
europe-docker.pkg.dev:gardener-project:public:gardener:etcd-wrapper:v0.6.0 0 5 4 0 🟠 High
europe-docker.pkg.dev:gardener-project:public:gardener:etcdbrctl:v0.40.0 0 5 4 0 🟠 High
ghcr.io:fluxcd:helm-controller:v1.4.5 4 20 2 6 πŸ”΄ Critical
ghcr.io:fluxcd:kustomize-controller:v1.7.3 4 32 14 12 πŸ”΄ Critical
ghcr.io:fluxcd:source-controller:v1.7.4 4 22 2 6 πŸ”΄ Critical
ghcr.io:kcp-dev:kcp-operator:v0.4.0 0 0 0 0 🟒 OK
ghcr.io:kcp-dev:kcp:v0.29.0 0 41 6 0 🟠 High
ghcr.io:open-component-model:kubernetes:controller:v0.28.0 0 0 0 0 🟒 OK
ghcr.io:platform-mesh:account-operator:v0.9.1 0 10 2 0 🟠 High
ghcr.io:platform-mesh:extension-manager-operator:v0.4.128 0 10 2 0 🟠 High
ghcr.io:platform-mesh:images:postgresql:17.6.0-debian-12-r4 9 37 20 18 πŸ”΄ Critical
ghcr.io:platform-mesh:kubernetes-graphql-gateway:v0.7.5 0 0 0 0 🟒 OK
ghcr.io:platform-mesh:marketplace-ui:v0.6.2 5 22 3 6 πŸ”΄ Critical
ghcr.io:platform-mesh:platform-mesh-operator:v0.47.1 0 0 0 0 🟒 OK
ghcr.io:platform-mesh:portal:v0.16.174 5 19 7 0 πŸ”΄ Critical
ghcr.io:platform-mesh:rebac-authz-webhook:v0.2.142 0 0 0 0 🟒 OK
ghcr.io:platform-mesh:security-operator:v0.18.2 0 0 0 0 🟒 OK
ghcr.io:platform-mesh:upstream-images:keycloak:26.5.2-debian-12-r0 4 24 34 19 πŸ”΄ Critical
ghcr.io:platform-mesh:upstream-images:postgresql:17.6.0-debian-12-r4 7 35 20 18 πŸ”΄ Critical
quay.io:jetstack:cert-manager-cainjector:v1.19.2 0 0 0 0 🟒 OK
quay.io:jetstack:cert-manager-controller:v1.19.2 0 0 0 0 🟒 OK
quay.io:jetstack:cert-manager-webhook:v1.19.2 0 0 0 0 🟒 OK
registry.k8s.io:coredns:coredns:v1.14.1 0 0 0 0 🟒 OK
registry.k8s.io:etcd:3.6.7 0 0 0 0 🟒 OK
registry.k8s.io:kro:kro:v0.8.1 0 2 0 0 🟠 High
registry.k8s.io:kube-apiserver:v1.34.0 0 24 4 0 🟠 High
registry.k8s.io:kube-controller-manager:v1.34.0 0 24 4 0 🟠 High
registry.k8s.io:kube-proxy:v1.34.0 2 32 6 2 πŸ”΄ Critical
registry.k8s.io:kube-scheduler:v1.34.0 0 23 4 0 🟠 High
xpkg.crossplane.io:crossplane:crossplane:v2.1.3 0 12 3 0 🟠 High
xpkg.upbound.io:crossplane-contrib:provider-keycloak:v2.14.0 0 0 0 0 🟒 OK

Remediation RecommendationsΒΆ

Immediate Actions (Critical Priority)ΒΆ

  1. Update PostgreSQL images immediately
  2. Current: 7 critical CVEs in both versions
  3. Impact: Database vulnerabilities affect Keycloak and OpenFGA

  4. Action: Consolidate to PostgreSQL 17.6.0-debian-12-r4 and monitor for patches

  5. Update infrastructure components

  6. Traefik: v3.6.0 β†’ v3.6.7 (eliminates 4 critical CVEs)
  7. Flux controllers: Update all three (eliminates 4-7 critical CVEs each)

  8. Cert-manager: Update to v1.19.2 (eliminates 5 high CVEs)

  9. Replace Mailpit and legacy components

  10. Mailpit: v1.27.9 β†’ v1.28.4 (reduces 6 critical to 4)
  11. Consider Chainguard alternatives where available

Short-term Actions (High Priority)ΒΆ

  1. Evaluate Chainguard migration
  2. See findings.md for detailed comparison
  3. Start with low-risk infrastructure images

  4. Potential for 88-100% CVE reduction on 18 images

  5. Standardize base images

  6. Multiple PostgreSQL versions create maintenance burden
  7. Inconsistent Debian versions (11 vs 12)

  8. Builder images need hardening (golang:1.25 β†’ distroless)

  9. Update Platform-Mesh operators

  10. Several operators 4-21 minor versions behind
  11. Security-operator: v0.10.9 β†’ v0.18.2 (eliminate 4 high CVEs)
  12. Platform-mesh-operator: v0.26.3 β†’ v0.47.1 (significant updates)

Long-term ActionsΒΆ

  1. Establish CVE scanning in CI/CD
  2. Automated scanning on all commits
  3. Block images with critical CVEs

  4. Regular update cadence for dependencies

  5. Implement image signing

  6. Required for supply chain security (SLSA Level 2+)
  7. Integrate with OCM component descriptors

  8. Enable verification in deployments

  9. Create security policy

  10. Define acceptable CVE thresholds
  11. SLA for patching critical vulnerabilities
  12. Process for emergency updates

Report Generated: 2026-01-29 07:43:50 CET Scanner: Sysdig Report Version: 1.0